What could go wrong?
ED-209 anyone???
http://www.youtube.com/watch?v=mrXfh4hENKs
"But no one's going to give me grief if I'm wearing a gas mask pouch."
I will happily laugh at you if I see you wearing one of those. Especially if it's at the Airport...
My personal preference is a bike messenger bag. It's a man-purse of course and many will laugh at me for that. But at least I don't look like I'm geared up for the zombie apocalypse.
Cheers!
Shouldn't it be 'walk upstairs'? We know he lives in his parents' basement. (All IT people eventually end up working/living in a basement. We feel more comfortable there for some reason...)
I can't help noticing how many posts on this thread have encouraged the poster to 'run and hide' since he's OBVIOUSLY broken the law.
I'm not so sure that's the case. Many vulnerabilities such as this (especially SQL injections) can be discovered using nothing more than Google dorks. In that scenario, it is Google that has (unintentionally) breached the company's security. The poster is simply accessing information that has been indexed by a search engine. Even if he found it directly, that doesn't mean he broke the law. I've found SQL injections on accident before simply by typing "O'Donnell" into a text box. (That single quote is a Bit**!)
I'm not saying that is what happened here. But don't assume that one has to break the law in order to discover a vulnerability. Google has indexed credit card numbers and other sensitive data in the past. And it's not Google's fault either. If their web spiders are able to scrape it, some web developer screwed up BIG-TIME...
As for advice, I'd say:
1. Document all communications with the company in question. It'll be harder for them to accuse you of wrongdoing if your first action was to inform them of the problem.
2. DO NOT EXPLOIT THIS VULNERABILITY! Or you actually are breaking the law.
3. Report the company in question to VISA, MC, AMEX, etc. You might have broken the law. But they are in violation of PCI-DSS. The company might not listen to you, but once they've got the card companies breathing down their neck they'll correct the issue. (Or they'll get shut down by their payment processor.)
4. Consult an attorney. You are in jeopardy of being blamed if the company does lose data, regardless of the facts. Regardless of legality, it doesn't sound like you have done anything immoral. Don't be their scapegoat.
5. If they do come after you, BE LOUD! The company in question has, through their incompetence, screwed their customers. At some point they will have to weigh their options. The person who said 'There's no such thing as bad publicity.' did so before there was such a thing as the Internet. If coming after you means losing customers?
In any case, Good Luck! I've been where you are and it's not a comfortable position...
Saliva causes cancer, but only if swallowed in small amounts over a long period of time. -- George Carlin
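As an added illustration of the "O'Donnell" remark in the comment above (example code written for this page, not posted by anyone in the thread): a constructed in-memory SQLite table is queried two ways, so you can see why an ordinary name with an apostrophe makes a string-concatenated query fail while a parameterized query returns the right row. The table, names and function names are all assumptions made up for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example; nothing here comes from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (name) VALUES (?)",
        [("Alice Smith",), ("Kevin O'Donnell",)],
    )
    return conn


def find_unsafe(name):
    """Vulnerable pattern: the user-supplied value is pasted into the SQL text.
    A single quote inside the value changes the structure of the statement,
    which is exactly the symptom the commenter tripped over."""
    conn = make_db()
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_safe(name):
    """Hardened pattern: the value travels as a bound parameter, never as SQL
    text, so an apostrophe is just a character in the data."""
    conn = make_db()
    cur = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in cur]


def probe(name):
    """Run the vulnerable query and report ('ok', rows) or ('error', message),
    so the two behaviours can be compared on the same input."""
    try:
        return ("ok", find_unsafe(name))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for candidate in ("Alice Smith", "Kevin O'Donnell"):
        print(candidate, "unsafe ->", probe(candidate), "safe ->", find_safe(candidate))
```

The error raised for "Kevin O'Donnell" is the kind of message a web application leaks when it builds queries by concatenation; the parameterized version is the fix, not input filtering.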